The author is a Forbes contributor. The opinions expressed are those of the writer.


There was a time when you could cause a website to freeze up just by hitting enter repeatedly when your web browser was open to it. One of the techniques that became popular during the Iranian election protests was to use pagereload.com, a tool developed for click fraud, to continuously refresh a target site. If enough protesters could be induced to use the tool, the web server would roll over and die. In 2007, the Estonian defenders realized that many of their websites were built on content management systems that generated every web page on the fly from a database. Their primary defense was to cache as much content as they could as static pages.

There are many tricks of the trade for executing an effective Denial of Service attack, from brute-force packet floods, to SYN floods, to GET floods that continuously request the same page. Identifying the page that is most compute-intensive to deliver is one trick of attackers: a site that has interactive data mining or an in-depth search function is particularly vulnerable.

I interviewed Mike Paquette, Chief Strategy Officer with Corero, to learn more about these types of attacks and the technology required to fend them off.

Watch the video or read the summary of salient points below:

Q: Tell us how Corero Network Security fits into the security landscape.

A: Corero Network Security is the new name for Top Layer Security. We changed our name just last week after the acquisition of Top Layer by Corero. Today CNS is the only company focused on the current and future of the network intrusion prevention solution as well as DDoS defense. You may recall Top Layer’s technology was one of the earliest solutions proposed for DDoS defense back in the year 2000 when some of the earliest DDoS attacks took place. Today Corero has rolled up Top Layer’s DDoS defense and intrusion prevention technology to provide technology solutions to enterprises worldwide.

Q: We’ve seen a number of high-profile DDoS attacks recently. What’s going on with that?

A: We see this as the third wave of DDoS activity on the internet. The first was the one I mentioned in the year 2000. Then around 2004 and 2005 we saw a lot of criminal extortion under threat of DDoS. A lot of gambling sites and online betting sites were targeted at that point. Today we’re seeing that the motivations for DDoS run the gamut from criminal extortion to personal or business unfair advantage to political or ideological motivations.

I use Google Alerts to track DDoS activity—I’ve done that for the past three years—and anecdotally I can tell you that the number of new instances of DDoS attacks has grown tremendously even in the last six months.

Q: We’ve even had state-motivated attacks against both Estonia and Georgia, along with Iran and several countries in the Middle East.

A: Absolutely. The internet has become both the voice of the people and another medium in which political activism can take place. If any organization today is taking a position or performing an action that might be controversial among their constituent community (or any other community), then if they don’t expect a cyber response or DDoS attack, they’re probably not thinking the situation through carefully enough.

Q: How have the attack technologies or methodologies changed?

A: In the early days we saw large-scale bandwidth consumption. Those DDoS attacks consisted of a large number of computers, usually organized into a bot-net, launching as much traffic as they could towards the intended victim. This caused overload of all kinds of network infrastructures, including switches, routers, and the internet service providers themselves.

Today we’re seeing slightly more sophisticated attacks. Rather than just launching these big bandwidth consumption streams of random packets towards the victim, what we’re seeing is that the bot-nets are making actual connections. They’ll establish a network level connection to the victim, then they’ll initiate heavyweight transactions. They may have already profiled the victim website to find out which types of transactions consume the most back-end CPU cycles, and they’ll make those requests repeatedly. Even though the attack may not be consuming all the victim’s bandwidth, it still has the desired effect of causing the denial of service condition.

Q: Typically, how many computers and people have to be engaged in that sort of computation-intensive attack?

A: The size of the bot-nets that we’re seeing performing these attacks has shrunk. In the past, for these large volume attacks, it wasn’t uncommon to see twenty or thirty thousand computers working in concert. Today one tenth that number can be effective in causing denial of service.

Q: Can people who host those critical servers do anything to keep a computation-intensive page from being exposed?

A: That’s very difficult to do. Suppose you ran a hardware store, and you built a great website for your business with search and compare capability. Suppose one of your customers browses your website and wants to compare all the nuts and bolts you have in inventory. Your website then queries your database and pulls back all the hardware you carry. That transaction itself happens to be fairly heavyweight, because it makes an extensive query of the database, and that might take one second, whereas normal transactions take one hundredth of a second. You’d think nothing of it—a second is very quick—but if you get a bot-net of three or four thousand computers making connections to your web server and asking you for that same query over and over again, before you know it your database server is exhausted and can no longer satisfy those requests, and thus the bad guys have achieved their goal: Your good customers can no longer get their transactions through.

Q: Where does Corero step into this?

A: Corero steps in with technology that resides very close to where the servers are, so we call this server-side or on-premises protection against denial of service attacks. Our technology is able to inspect not only a given transaction, but the behavior of transactions over time from each potential attacker. It’s very tricky because there’s nothing wrong with each individual transaction. If that transaction came from a real customer wanting to see the nuts and bolts from your hardware store, you’d think nothing of it. But, in aggregate, an attacker can be identified based on the number of times they’ve made a particular request, or the number of times they make the same request over and over again in sequence.

The technology Corero is introducing tracks the behavior of all the possible attackers and watches what they do over time. It uses a technique that we call a demerit-score-based credit scheme. As potential attackers perform transactions that are indicative of an attack, they get demerits, which take away from a credit score that is kept by Corero’s DDoS defense system. If the activity continues, the attacker loses credits and is no longer able to send any transaction through the server, thus preserving the server’s ability to satisfy real requests.
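The demerit-score credit scheme described above, as an added example that is not Corero's code: each client carries a credit balance that expensive back-end queries (the hardware-store "compare everything" page) and back-to-back repeats of the same request drain, while quiet time slowly refills it; a client whose balance reaches zero is refused until it recovers. Page costs, scoring constants and the sample traffic are constructed assumptions.

```python
from collections import defaultdict

# Assumed back-end cost (seconds) per page. The "compare everything" page is the
# heavyweight query from the hardware-store example: ~1 s versus ~0.01 s.
PAGE_COST = {"/": 0.01, "/product": 0.01, "/compare?all=1": 1.0}

class DemeritScorer:
    """Per-client credit balance that attack-like behaviour drains."""

    def __init__(self, max_credit=100.0, refill_per_sec=2.0,
                 repeat_penalty=5.0, cost_scale=20.0):
        self.max_credit = max_credit          # starting balance for every client
        self.refill_per_sec = refill_per_sec  # credits regained per quiet second
        self.repeat_penalty = repeat_penalty  # demerit for the same page back-to-back
        self.cost_scale = cost_scale          # demerits per second of back-end work
        self.credit = defaultdict(lambda: max_credit)
        self.last_seen = {}                   # client -> (timestamp, path)

    def check(self, client, ts, path):
        """Score one request; True = serve it, False = client is cut off."""
        prev_ts, prev_path = self.last_seen.get(client, (ts, None))
        # Credits refill with elapsed time, capped at the starting balance.
        bal = min(self.max_credit,
                  self.credit[client] + (ts - prev_ts) * self.refill_per_sec)
        # Demerits scale with how much back-end work the page costs...
        demerit = PAGE_COST.get(path, 0.01) * self.cost_scale
        # ...plus a penalty for asking for the same page again in sequence.
        if path == prev_path:
            demerit += self.repeat_penalty
        self.credit[client] = max(0.0, bal - demerit)
        self.last_seen[client] = (ts, path)
        return self.credit[client] > 0.0

def replay(log_lines, scorer=None):
    """Feed 'timestamp client path' lines through a scorer; return verdicts."""
    scorer = scorer or DemeritScorer()
    verdicts = []
    for line in log_lines:
        ts, client, path = line.split()
        verdicts.append((client, path, scorer.check(client, float(ts), path)))
    return verdicts

# Constructed sample traffic: one genuine shopper who compares once, and one
# botnet member requesting the heavyweight compare page ten times a second.
SHOPPER_LOG = ["0.0 10.0.0.5 /", "5.0 10.0.0.5 /product",
               "12.0 10.0.0.5 /compare?all=1", "20.0 10.0.0.5 /product"]
BOT_LOG = [f"{i / 10:.1f} 203.0.113.7 /compare?all=1" for i in range(10)]
```

Replaying both logs, the shopper is served throughout while the bot is cut off from its fifth identical heavyweight request on, even though each individual request looks legitimate.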

Q: So that’s how you get around the problem with many solutions that use a strict reputation system which may blacklist IP addresses that are no longer bad.

A: That’s correct. IP reputation-based approaches have some value, especially if they’re timely and up-to-date. They can indicate that an IP is currently being used by a bad actor. But the technology I described works independent of reputation. If someone is actively attacking in the way we talked about, even if we’ve never seen them in anyone’s IP reputation database before, then we’ll still be effective at mitigating the attack.

Q: What about the traditional SYN floods and attacks which just try to exhaust the front server?

A: Someone who is worried about DDoS attacks does still need to consider that they could be a victim of these large-scale bandwidth consuming attacks. If that is a concern, then they do need to work with their internet service provider, and perhaps with a cloud-specialty anti-DDoS provider, because those organizations have infrastructures and massive amounts of internet bandwidth which can actually absorb gigantic attacks, filter out the majority of malicious traffic, and then send the good stuff through to the end user.

Q: Is there a particular client profile which should first look at Corero solutions before they explore more expensive in-the-cloud solutions?

A: I would think that any organization which has a high dependence on their ability to complete internet transactions for the preservation of their business or the organization’s mission needs to consider us first. This includes organizations using e-commerce, transaction based processing on the internet, and even online education, where the ability to deliver courses online is critical. Any organization with those types of dependencies should consider this technology.